Winlogbeat Drop Event Processor No Longer Working After Update to v8

Prior to updating my Elastic Stack to v8.2.0, the following winlogbeat drop event processor worked as expected. It only kept Windows Security log event.code 4688 events if the process.parent.name equaled cmd.exe or powershell.*. Of course, with v8, winlogbeat started using the security pipeline to format the event information to ECS before sending it to Elasticsearch rather than the old JavaScript processor.

- drop_event.when:
    and:
      # Only process-creation events (Security event ID 4688) are considered.
      - equals:
          event.code: "4688"
      # Keep the event only when the parent is cmd.exe or powershell*; drop everything else.
      - not.or:
          - equals.process.parent.name: cmd.exe
          - regexp.process.parent.name: 'powershell.*'

After the upgrade, all of the event.code 4688 events got dropped and none of them are going to Elasticsearch. My current workaround is to just remove the drop event processor and do my filtering in Kibana instead. However, I'm curious as to what changed and if there is a way to make the drop event processor work as intended.
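Added example (editor's, not from the post or from Elastic): the same filter rewritten against the field that still exists when Beat-side processors run under v8, where process.parent.name is only populated later by the Elasticsearch ingest pipeline. It assumes Windows 10 / Server 2016 or later, whose 4688 events include ParentProcessName in EventData.

```yaml
# Added example (editor's), not the post's own configuration.
#
# Why the original condition drops every 4688 event under v8: process.parent.name
# is produced by the winlogbeat security ingest pipeline inside Elasticsearch, so
# it does not exist yet when Beat-side processors evaluate the event. A condition
# on a missing field is false, which makes "not.or" true, so drop_event fires on
# every event that passes the event.code check.
#
# event.code is still set by the Beat itself, so that part keeps working. Before
# the pipeline runs, the parent process is available as the raw EventData field
# winlog.event_data.ParentProcessName, which holds the full path (for example
# C:\Windows\System32\cmd.exe), so the file name is matched with a regexp
# rather than equals. Assumption: ParentProcessName is present, which requires
# Windows 10 / Server 2016 or later.
processors:
  - drop_event.when:
      and:
        - equals:
            event.code: "4688"
        # Drop unless the parent's file name is cmd.exe or powershell*.exe
        # (case-insensitive; the backslash before the name anchors the match
        # to the last path component).
        - not:
            regexp:
              winlog.event_data.ParentProcessName: '(?i)\\(cmd|powershell[^\\]*)\.exe$'
```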
